author | Frédéric Buclin <LpSolit@gmail.com> | 2012-01-31 16:39:50 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-01-31 16:39:50 +0100 |
commit | 6c81a8674ac77562584d5033561f8b4d947f23bb (patch) | |
tree | 3f3075c09ff6c31cd4901a6182f15ff6ec87cdf2 /Bugzilla | |
parent | 907acd417423fe4550d31afe0b16ee15b2ebad18 (diff) | |
Bug 714472: (CVE-2012-0448) [SECURITY] utf8 homoglyphs are allowed in email addresses, which could allow an attacker to be CC'ed to private bugs by accident
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/FlagType.pm | 2 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index ea81dfe46..b30065a1c 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -310,7 +310,7 @@ sub _check_cc_list {
     # - do not contain any illegal character.
     foreach my $address (@addresses) {
         ($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/
-         && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/)
+         && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/)
           || ThrowUserError('illegal_email_address',
                             {addr => $address, default => 1});
     }
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 4c268552b..6d8622e04 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -565,7 +565,7 @@ sub generate_random_password {
 sub validate_email_syntax {
     my ($addr) = @_;
     my $match = Bugzilla->params->{'emailregexp'};
-    my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+    my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
     if ($ret) {
         # We assume these checks to suffice to consider the address untainted.
         trick_taint($_[0]);
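Review bot: The illegal-character class `[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]` is now maintained by hand in two places, `_check_cc_list` in FlagType.pm and `validate_email_syntax` in Util.pm, and this fix had to be applied to both; the next tightening of the list can miss one copy and quietly leave the other address path accepting what the first rejects. A single compiled pattern exported from Util.pm, e.g. `our $EMAIL_ILLEGAL_CHARS = qr/[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/;` (name is a suggestion), tested as `$addr !~ $EMAIL_ILLEGAL_CHARS` at both sites, keeps the two checks from drifting. `\P{ASCII}` rejects any code point above 0x7F whether `$addr` holds a decoded string or raw bytes, so the new class covers both call paths as written; a short comment above each use, such as `# Reject non-ASCII so Unicode homoglyphs cannot pass as an existing address (bug 714472)`, would record why the class is there. Both enclosing subs extend outside the hunks: `_check_cc_list` begins before the first hunk and `validate_email_syntax` continues past the second.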